There are a couple of lessons here. The first is that no matter how simple the fix, organizations like the UN cannot do it. Despite the fact that a high-school intern could fix the bug in 5 minutes, the bureaucracy means that the organization must spend tens of thousands of dollars to fix it. A project manager needs to coordinate with external consultants. They need to plan the timeline of the change and verify that it works. They need to get agreement from various levels of management who don’t understand cybersecurity and are likely to veto the change.

The other lesson is that the cost of NOT fixing the bug is low. The UN can simply live with the problem, and clean up after every hack. The site only contains articles, it contains nothing else interesting (like private financial information). Even with such a simple and obvious vulnerability, they are unlikely to get hacked more than once or twice a year (indeed, it appears they haven’t gotten hacked for the last two years).

Together, these two things mean that it’s cheaper for the UN to clean up after each break-in than to fix the vulnerability. At least, this is what their management feels.

The UN won't do anything about it until someone uses the site to start hosting malware or attackers repeatedly deface the site. Until it becomes a major source of embarrassment for them, they won't do a thing to close it.